Skill v1.0.0

ClawScan security

Add Music To Video Canva · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign · Apr 29, 2026, 4:10 PM
Verdict
benign
Confidence
medium
Model
gpt-5-mini
Summary
The skill's requirements and runtime instructions are consistent with a connector that uploads videos to an external NemoVideo rendering service, so its requested env var (NEMO_TOKEN) and API calls make sense. Be aware that it will send your video data and use tokens/credits on that external service.
Guidance
This skill appears to be a straightforward connector to an external rendering service (mega-api-prod.nemovideo.ai). Before installing or using it:
- Understand that your video/audio files will be uploaded to that external service for processing. Do not use it for sensitive/private videos unless you trust that service and have reviewed its privacy/terms.
- If you supply your own NEMO_TOKEN, the skill will act as your account and may consume credits; prefer the anonymous-token flow if you only want to try it. Anonymous tokens are short-lived (7 days) and grant limited free credits according to the SKILL.md.
- The SKILL.md asks the agent to detect an install path (e.g., ~/.clawhub, ~/.cursor) and references ~/.config/nemovideo/. This implies the agent may read certain paths in your home directory for attribution. If you are uncomfortable with that, ask the skill author to remove or explain that behavior.
- Note the minor mismatch between the registry and the SKILL.md about the config path; consider asking the publisher (or avoid granting a permanent account token) until clarified.

Overall the pieces are coherent for the stated purpose, but treat the external upload and token usage as the primary privacy/operational risk.

Review Dimensions

Purpose & Capability
note: The name/description (add music to videos) matches the instructions (upload video, create session, request renders at mega-api-prod.nemovideo.ai). Minor inconsistency: registry metadata reported no config paths, but the SKILL.md frontmatter lists a config path (~/.config/nemovideo/) for attribution; this is plausible but should be clarified.
Instruction Scope
note: SKILL.md stays within expected scope: it sends user video files to the NemoVideo backend, manages sessions/tokens, streams SSE for edits and polls export status. It also instructs the agent to detect install path (to set X-Skill-Platform header), which implies reading user filesystem paths (home directory); this is not required for core functionality and is worth noting.
Install Mechanism
ok: Instruction-only skill with no install spec and no code files; nothing is written to disk by an installer step in the package itself.
Credentials
ok: Only NEMO_TOKEN is declared as required and is the token the skill uses for API calls. That is proportionate for a cloud service connector. The SKILL.md will also generate a short-lived anonymous token if NEMO_TOKEN is not present.
Persistence & Privilege
ok: The skill is not always-enabled and does not request system-wide privileges. It instructs keeping a session_id in-memory for operations but does not instruct modifying other skills or system-wide configs.